Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
579
Views
0
Helpful
5
Replies

802.1x on Aironet 600

OMAR MASRI
Level 1
Level 1

‎02-04-2013 02:07 AM - edited ‎07-03-2021 11:28 PM

On an AIRONET 600 AP (officeExtend) with the remote LAN interface is configured to use 802.1x authentication:

If a Cisco IP Phone is connected, 801.x authentication challenges for credentials. The AP does not seem to have a way to detect that this is an IP Phone and to skip the challenge (as Cisco switches/routers would do) -

Is there any way around this? Can the remote LAN interface be configured to skip authentication for IP Phone and only authenticate PCs etc..?

Labels:
0 Helpful
5 Replies 5

Amjad Abdullah
VIP Alumni
VIP Alumni

‎02-04-2013 02:23 AM

Salam Omar,

What port that is configured for dot1x authentication? The switch port to which the AP is connected?

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"
0 Helpful

OMAR MASRI
Level 1
Level 1
In response to Amjad Abdullah

‎02-04-2013 02:43 AM

HI

The "remote LAN" port (port 4 - yellow) on the AP 600 is configured for 802.1x - this is done on the WLC.

Thanks

Omar

0 Helpful

Amjad Abdullah
VIP Alumni
VIP Alumni
In response to OMAR MASRI

‎02-04-2013 03:33 AM

Omar:

Usually with Cisco switches if you use dot1x auth for ip phones that are not dot1x-capable, you use MAB (MAC Authentication Bypass) and provide the mac address of the phone to the ACS server so it return access-accept radius packet if the mac address is listed.

Now, elaborate more about your situation, you have the mac address of the phone on the ACS and it does not work?
If not, you need to add a MAB entries for the mac addresses on the ACS (or whatever RADIUS server you use) and tell it if no dot1x auth started then allow those mac addresses if they try to connect.

If that is already configured and still does not work some more investigation is needed.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"
0 Helpful

OMAR MASRI
Level 1
Level 1
In response to Amjad Abdullah

‎02-04-2013 05:01 AM

I guess what I'm trying to find out is if it is possible to bypass the  802.1x process entirely if an IP Phone is connected. I'm not sure this  is possible.

0 Helpful

George Stefanick
VIP Alumni
VIP Alumni
In response to OMAR MASRI

‎02-04-2013 05:39 AM

I looked at this very issue myself. The ap600 / wlc doesn't support MAB.

However, if you have ISE I'm told it will extend to OE aps and mab can be used / managed by ISE.

Sent from Cisco Technical Support iPhone App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card